Identity and governanceMicrosoft identityIntermediate26 min read

What Does Group Mean?

Reviewed byJohnson Ajibi· Senior Network & Security Engineer · MSc IT Security
On This Page

Quick Definition

A group is a container that holds multiple users or devices so you can manage them all at once instead of one by one. Groups make it easy to grant access to resources, apply policies, or assign licenses to many people at the same time. For example, you can add all the sales team members to one group and then give that group access to a sales database.

Commonly Confused With

A group is a container for users, whereas a role assignment is the act of granting permissions to a group (or a user) at a specific scope. They work together: you assign a role to a group, and the group's members get the permissions. Role assignments are a verb; groups are a noun.

Think of a group as a club membership list, and a role assignment as the key to the clubhouse. The list (group) tells you who is in the club, but you still need to give the key (role assignment) to the list so the club members can enter.

Dynamic group is a type of group, not a separate concept. It is a security or Microsoft 365 group whose membership is automatically updated based on rules. The confusion arises because people sometimes think 'dynamic group' means a special kind of object, but it is simply a group with a membership rule enabled.

A security group can be static (you add members manually) or dynamic (members are added automatically based on attribute rules). Both are still groups. The dynamic version just has a rule attached to it.

An administrative unit is a container that delegates administration of a subset of users or groups to a specific administrator, while a group is about managing permissions to resources. Administrative units are for managing who can manage whom; groups are for managing who can access what.

An administrative unit is like a regional office manager who can only manage users in that office. A group is like a list of employees who get a discount card. They serve different purposes and can work together.

GroupvsEnterprise application

An enterprise application is a service principal that represents an application in your tenant. Groups are used to assign users to enterprise applications or to grant permissions to the application. They are not the same thing. A group does not authenticate; an application does.

An enterprise application is like a vending machine. A group is the list of people who get a free soda from that machine. The machine is the app; the list is the group.

Must Know for Exams

Groups are a heavily tested topic across multiple Microsoft certification exams, particularly the Azure Administrator Associate (AZ-104), Microsoft Azure Fundamentals (AZ-900), and Microsoft Security, Compliance, and Identity Fundamentals (SC-900). For AZ-104, groups appear primarily in the 'Manage identities and governance' domain, which constitutes around 20-25% of the exam. Candidates are expected to know how to create and manage groups in Microsoft Entra ID, assign users and devices to groups, and configure dynamic membership rules.

You may be asked to recommend a group strategy for a given scenario, such as a multinational company with thousands of users that needs to automatically manage access based on employee attributes. For AZ-900, groups are covered at a conceptual level. You should understand the difference between security groups and Microsoft 365 groups, and know that groups are a way to manage access to resources efficiently.

Questions might ask which type of group should be used to grant access to an application, or how groups relate to RBAC. For SC-900, groups are important in the context of identity governance and conditional access. You need to understand how groups are used in access reviews, how they support least privilege principles, and how they factor into Identity Protection policies.

Exam questions often present a scenario where an organization needs to enforce MFA for a specific department, and the correct answer involves creating a group and applying a Conditional Access policy to it. Another common question pattern involves dynamic groups: you may be given a rule expression (e.g.

, user.department -eq 'Sales') and asked to determine which users are added. You could also see questions about group nesting limits, for example, an Azure RBAC role assignment can include a group that contains other groups, but only one level of nesting is allowed.

Understanding the difference between group types and their appropriate use cases is critical. For example, using a Microsoft 365 group to manage permissions to an Azure resource is a mistake because Microsoft 365 groups are designed for collaboration, not resource access. In short, group-related questions appear in multiple forms on these exams, and a solid grasp of the concepts will help you answer scenario-based, multiple-choice, and case-study questions correctly.

Simple Meaning

Imagine you are organizing a party and you have a list of friends you want to invite. Instead of writing each friend's name on a separate invitation and addressing each envelope individually, you create a party list called 'Friends.' Then you write one invitation for the whole list, and the invitation is sent to everyone on that list.

That's exactly what a group does in an IT system. It is a container that holds multiple user accounts together. Once users are collected into a group, you can assign permissions, licenses, or security settings to the group, and every member of that group automatically gets those permissions.

This saves enormous time and prevents errors. For instance, if a new person joins the sales team, you simply add them to the 'Sales Team' group, and they immediately get access to the sales software, the shared folder, and the email distribution list. If you later remove someone from the group, they instantly lose that access.

Groups are also used to apply policies, like password rules or device restrictions. In cloud environments such as Microsoft Azure, groups are central to managing who can do what. They help keep your system organized, secure, and easy to maintain.

Without groups, you would have to manage each user individually, which would be a nightmare in a company with hundreds or thousands of employees. Groups are the building blocks of identity governance.

Full Technical Definition

In Microsoft identity and governance, particularly within Microsoft Entra ID (formerly Azure Active Directory), a group is a directory object that serves as a container for other directory objects, most commonly users, devices, and other groups (nested groups). Groups are fundamental to role-based access control (RBAC) and attribute-based access control (ABAC) scenarios. There are two primary types of groups in Microsoft Entra ID: security groups and Microsoft 365 groups.

Security groups are used to manage access to resources such as applications, SharePoint sites, and Azure resources. They can also be used to apply device configuration policies via Intune or Group Policy in hybrid environments. Microsoft 365 groups, on the other hand, provide a collaborative membership model that automatically provisions a shared mailbox, calendar, document library, and other collaborative tools.

Membership in a Microsoft 365 group grants access to a suite of interconnected services. From a technical perspective, groups support both static and dynamic membership. Static membership requires an administrator or authorized user to manually add or remove members.

Dynamic membership uses rules based on user or device attributes, for example, all users with Department equals 'Sales' and Country equals 'US' are automatically added to the group. Dynamic groups are evaluated periodically by the Microsoft Entra ID provisioning engine, which processes membership changes based on attribute changes in the user object. Groups can be assigned to Azure RBAC roles at management group, subscription, resource group, or individual resource scope.

When a group is assigned an Azure RBAC role, all members of that group inherit the permissions associated with that role. Group nesting is supported in Azure RBAC, but with limitations, a group within an Azure RBAC role assignment cannot be nested more than one level deep. Groups are also used with Conditional Access policies, where they can be included or excluded from specific access controls.

In a hybrid environment, groups can be synchronized from on-premises Active Directory to Microsoft Entra ID using Microsoft Entra Connect. This allows organizations to manage group membership on-premises and have it reflect in the cloud. Groups have universally unique identifiers (GUIDs) that are immutable once created.

Administrators manage groups through the Microsoft Entra admin center, Microsoft Graph API, PowerShell with the Microsoft Graph module, or the Azure CLI. Key properties of a group include its display name, description, membership type (Assigned, Dynamic User, or Dynamic Device), and securityEnabled flag. Groups are subject to licensing requirements, some dynamic group rules require an Azure AD Premium P1 or P2 license.

Understanding the behavior of group membership propagation and the latency of dynamic groups is crucial for exam scenarios.

Real-Life Example

Think of a large library. The library has millions of books, but instead of letting every visitor wander into the restricted back rooms where rare books are stored, the library uses membership cards. Different membership cards give different levels of access.

A 'Gold Member' card lets you access the rare book room, while a 'Standard Member' card only lets you borrow regular books. Now, imagine the library needs to issue a new rule: all Gold Members must now also have access to a new digital archive. Without groups, the librarian would have to find every single Gold Member, update their card, and inform them individually.

That would take days. Instead, the librarian keeps a list of all Gold Members. That list is a group. When a new digital archive is created, the librarian just says 'Give access to the Gold Member group.'

Instantly, every person on that list gets access. When a new person becomes a Gold Member, they are added to the list and automatically get access. If someone loses Gold status, they are removed from the list and lose access.

This is exactly how groups work in Microsoft identity systems. The 'Gold Member group' is a security group in Azure. The library's computer system (the identity provider) assigns permissions to the group, not to the individual people.

This saves time, reduces mistakes, and makes it easy to scale from a small library with a few dozen members to a huge one with thousands. It also ensures consistency, every member of the group gets exactly the same access, which is critical for security and compliance.

Why This Term Matters

Groups are the cornerstone of efficient identity and access management in any organization that uses Microsoft technologies. Without groups, IT administrators would be forced to assign permissions, licenses, and policies to each user individually. In an organization with even a few hundred employees, this becomes unsustainable.

Groups reduce administrative overhead dramatically. For example, if a company hires 50 new salespeople, the administrator can simply add them to the 'Sales' group, and they instantly receive the correct access to CRM software, email distribution lists, and shared drives. Groups also enforce security boundaries.

By using groups in Conditional Access policies, an organization can require multi-factor authentication for all members of the 'Finance' group while allowing simpler sign-in for the 'Marketing' group. This granular control helps protect sensitive data without hindering productivity for less critical roles. Groups are also essential for compliance.

Auditors want to see who has access to what. When permissions are assigned to groups, it is easy to generate reports showing which groups have access to which resources and who the members are. If permissions were assigned directly to users, reporting would be a nightmare.

Groups also enable automation. Dynamic groups automatically add or remove members based on attributes like job title or department, ensuring that access rights stay current as employees change roles. This is especially important in large organizations where manual updates are error-prone.

In exam contexts, the ability to design a group strategy is a common objective. You need to understand when to use a security group versus a Microsoft 365 group, when to use static versus dynamic membership, and how group nesting works in Azure RBAC. A poorly designed group structure can lead to security vulnerabilities or excessive administrative work.

Therefore, mastering groups is not just about passing an exam, it is about being able to build secure, scalable, and manageable identity systems in real-world IT environments.

How It Appears in Exam Questions

Group-related questions on Microsoft exams appear in several distinct patterns. The first pattern is scenario-based identification. You are given a description of an organization's requirements, such as needing to grant access to an application for all employees in the accounting department, and you must choose the correct approach: create a security group, add Accounting users to it, and assign the group permissions to the application.

A distractor might include creating individual user assignments or using a Microsoft 365 group. The second pattern is dynamic group rule evaluation. The question might provide a dynamic membership rule, such as (user.

department -eq 'Engineering') and (user.country -eq 'Canada'), and then list several users with different attributes. You have to identify which users would become members of the group.

These questions test your understanding of the syntax and logic of directory extensions and attribute matching. The third pattern involves group nesting and RBAC. A question might describe a scenario where a group is assigned a Contributor role at the resource group scope, and you are asked what permissions a user in a nested group would inherit.

The correct answer is that the user inherits the role if the nested group is a member of the group with the role assignment, but only if nesting is within the allowed limit (one level). The fourth pattern is about group types. You may be asked to differentiate between security groups and Microsoft 365 groups.

A typical question: 'You need to provide a team with a shared mailbox, calendar, and document library. Which type of group should you use?' The answer would be Microsoft 365 group.

The fifth pattern involves group management tasks in the Azure portal or via PowerShell. For example, a question might ask which PowerShell cmdlet you would use to add a user to a group. Or the question may present a screenshot of the Azure portal and ask where you would configure dynamic membership rules.

The sixth pattern focuses on group-based licensing. You might be asked how to assign Microsoft 365 licenses to a large number of users. The correct answer is to use group-based licensing, where the license is assigned to the group and automatically applied to all members.

Troubleshooting questions might involve why a user did not get a license or why a user did not appear in a dynamic group. The cause could be that the dynamic group rule does not match the user's attributes, or that the user object's attributes were not updated, or that the provisioning cycle has not completed yet. Understanding these patterns will help you quickly recognize what the question is testing and avoid common traps.

Practise Group Questions

Test your understanding with exam-style practice questions.

Practise

Example Scenario

A medium-sized company named Fabrikam has 500 employees. The IT department needs to give the entire Marketing team access to a new analytics dashboard in Azure. The Marketing team has 45 employees, and the team frequently changes, people join, leave, and switch roles.

The IT administrator, Priya, wants to manage this efficiently. She decides to use a security group. Priya creates a new security group in Microsoft Entra ID called 'Marketing-Analytics-Users.'

She configures the group with dynamic membership using a rule: (user.department -eq 'Marketing'). This means that any user who has their department attribute set to 'Marketing' will automatically become a member of the group.

Next, Priya goes to the analytics dashboard application in Azure and assigns the group the 'Reader' role. Now, whenever a new employee joins the Marketing team and their department attribute is set to 'Marketing' in the HR system, that employee is automatically synced to Microsoft Entra ID, the dynamic group rule is evaluated, the user becomes a member of the group, and they automatically gain read access to the analytics dashboard. No manual intervention is needed.

A few weeks later, a Marketing employee moves to the Sales department. Their department attribute is changed to 'Sales.' During the next dynamic group evaluation cycle, the user no longer matches the rule for the Marketing-Analytics-Users group, so they lose access to the dashboard automatically.

This scenario demonstrates the power of groups, especially dynamic groups. It saves Priya hours of work every month, reduces the risk of human error, and ensures that access rights are always aligned with the employee's current role. It also makes auditing easy: the IT auditor can simply look at the group membership rule and the current members to verify compliance.

This scenario is typical of scenario-based questions on the AZ-104 exam, where you have to recommend the most efficient way to manage access for a changing workforce.

Common Mistakes

Using a Microsoft 365 group to assign access to an Azure resource like a storage account or virtual machine.

Microsoft 365 groups are designed for collaboration (mailbox, calendar, SharePoint site), not for managing permissions to Azure infrastructure. Security groups are the correct type for Azure RBAC assignments.

Always use a security group when you need to assign roles to Azure resources. Use a Microsoft 365 group when you need a shared workspace for team collaboration.

Assigning a role directly to a user instead of to a group, even when multiple users need the same permissions.

Direct role assignments increase administrative overhead and make it harder to track who has what access. If you need to change the permissions later, you must change each user individually.

Create a group, add all users who need the permission to the group, and assign the role to the group. This makes management scalable and auditable.

Creating a dynamic group rule that uses attributes not present on the user objects.

If an attribute referenced in the rule does not exist on a user object, or is empty, the user will not be added to the group. This leads to missing access for valid users.

Verify that all user objects have the required attributes populated correctly. Use the Microsoft Entra admin center or Graph API to check attribute values before creating the rule.

Assuming that group membership changes take effect immediately for dynamic groups.

Dynamic group membership is not processed in real time. Microsoft Entra ID evaluates membership rules periodically (typically every few hours). Users might not see immediate access.

Design your processes to account for the latency of dynamic group updates. If immediate access is required, use static groups or manual addition. For dynamic groups, inform users of potential delays.

Nesting a group that is assigned an Azure RBAC role inside another group that also has a role assignment, expecting both roles to apply.

Azure RBAC supports only one level of group nesting. If a group assigned a role contains another group, the nested group's members will inherit the role, but they will not automatically inherit roles from groups that are nested further. The nesting limit can cause unexpected permission gaps.

Avoid deep nesting. Assign roles directly to groups that contain the user objects, or use a flat group structure. Check the RBAC documentation for the current nesting limits.

Exam Trap — Don't Get Fooled

{"trap":"A question asks you to create a group that will automatically include all users in the 'Sales' department and exclude any users who are also in the 'Temporary Employees' department. You are given a choice of using a security group with dynamic rule or a Microsoft 365 group with static membership.","why_learners_choose_it":"Learners might choose the static membership option because they think dynamic rules are too complex for exclusion logic, or they might incorrectly think that Microsoft 365 groups support dynamic rules.

They might also be tempted to create two groups (one for Sales, one for Temporary) and manually manage membership.","how_to_avoid_it":"Dynamic security groups support complex rules using the 'and', 'or', and 'not' operators. The correct answer is to create a security group with a dynamic rule like: (user.

department -eq 'Sales') and (user.department -ne 'Temporary Employees'). Recognize that dynamic groups can handle inclusion and exclusion logic. Always check the capabilities of the group type, only security and Microsoft 365 groups support dynamic membership, but security groups are the right choice for attribute-based access control in this scenario."

Step-by-Step Breakdown

1

Determine the purpose of the group

Before creating a group, decide whether it will be used for security (access control), collaboration (Microsoft 365 services), or both. This determines which group type to use. Security groups are for permissions to resources; Microsoft 365 groups are for team collaboration spaces.

2

Choose the membership type

Decide whether membership will be static (manually managed) or dynamic (rule-based). Static membership is simpler but requires ongoing maintenance. Dynamic membership automates adding and removing members based on user attributes, which is ideal for large or frequently changing organizations.

3

Create the group in Microsoft Entra ID

Navigate to the Microsoft Entra admin center, go to Groups, and select New group. Provide a name and description. Select the group type (Security or Microsoft 365) and the membership type (Assigned, Dynamic User, or Dynamic Device). Fill in required fields and create the group.

4

Configure dynamic membership rules (if dynamic)

If you chose dynamic membership, you must write a rule using the rule builder or a custom expression. The rule uses properties of the user or device object, such as department, jobTitle, or country. The rule syntax uses operators like -eq, -ne, -contains, and logical operators like -and, -or, -not. Example: (user.department -eq 'Sales').

5

Add members manually (if static)

For static groups, select the group after creation, go to Members, and add users, devices, or other groups. You can add members individually or in bulk using CSV upload. You can also use Graph API or PowerShell for automation.

6

Assign permissions or licenses to the group

Once the group has its members, you can grant access to resources. For Azure resources, assign an RBAC role (like Reader, Contributor) to the group at the appropriate scope (subscription, resource group, resource). For applications, assign the group to the enterprise application. For Microsoft 365 licenses, use group-based licensing.

7

Monitor and maintain the group

Periodically review group membership to ensure it is accurate. For dynamic groups, check that the rule is producing the expected members. For static groups, remove users who no longer need access. Use access reviews in Microsoft Entra ID to automate the certification of group membership.

Practical Mini-Lesson

In real-world IT environments, groups are the primary mechanism for scaling identity management. As an Azure or Microsoft 365 administrator, you will spend a significant amount of time creating, configuring, and maintaining groups. The first practical skill is understanding the difference between group scope and group type. Scope refers to whether the group is local to a domain, global, or universal in on-premises Active Directory, but in Microsoft Entra ID, groups are not scoped in the same way. Instead, you focus on type: security group vs. Microsoft 365 group. A security group is your go-to for any resource permission, whether it's an Azure VM, a storage account, a SharePoint site, or an app registration. A Microsoft 365 group is for collaboration and automatically provisions a shared mailbox, calendar, and document library. You can also use a Microsoft 365 group for security permissions in some cases, but it is not recommended for Azure infrastructure.

Dynamic groups are a powerful feature that requires careful planning. Before implementing a dynamic group rule, you must ensure that the attributes you want to use are populated in the user or device objects. For example, if you plan to use 'department', you need to confirm that the HR system syncs this attribute to Microsoft Entra ID. You also need to understand that dynamic group evaluation is not real-time, it can take up to 24 hours for a change to affect membership, although it is usually faster. This latency can cause frustration if users expect immediate access after an attribute change. For critical scenarios, use a static group and add the user manually, then later migrate to dynamic membership once the rules are tested.

Another practical consideration is group nesting. In Azure RBAC, you can add a group as a member of another group, but only one level of nesting is allowed. This means if Group A contains Group B, and Group B contains Group C, you cannot assign a role to Group A and expect members of Group C to inherit the role. The role will only flow to members of Group A and the direct members (Group B), not to members of Group C. Therefore, keep your group hierarchy flat to avoid permission issues.

Using groups for group-based licensing is another practical skill. When you assign a Microsoft 365 license to a group, all members automatically get the license. However, there are pitfalls: if a user already has a license assigned directly, and you also assign a different license via a group, the user may end up with conflicting licenses. Group-based licensing uses a 'direct' plus 'group' licensing model, so you need to plan the total license assignment per user carefully.

Finally, monitoring group membership is critical for security and compliance. Use Microsoft Entra ID access reviews to periodically require group owners or managers to certify that members still need access. This helps prevent accumulation of unwanted permissions. In the exam, you may be asked about the steps to set up an access review for a group, including who can be a reviewer and how the review results are applied.

What can go wrong? The most common issue is misconfigured dynamic group rules that either include no one or include many unintended users. For example, using a wildcard incorrectly or missing parentheses can break the rule. Always test dynamic rules with a small set of users before applying them broadly. Another issue is assigning a role to a group that contains guest users, and the role includes permissions that guest users should not have (like ability to invite more guests). Understand the behavior of guest users in groups.

groups are a tool you will use daily. Master the creation, membership type selection, rule writing, and role assignment process. Practice writing dynamic membership rules in the Azure portal rule builder. Know the PowerShell cmdlets: New-AzureADGroup, Add-AzureADGroupMember, Set-AzureADGroup. For Microsoft Graph, use the /groups endpoint. The more you practice, the easier the exam questions will be.

Memory Tip

Groups gather access, think of a 'group' as a 'gang' that shares one key. Assign the key to the gang, not to each person.

Covered in These Exams

Current Exam Context

Current exam versions that test this topic — use these objectives when studying.

Related Glossary Terms

Frequently Asked Questions

What is the difference between a security group and a Microsoft 365 group?

A security group is used to control access to resources like Azure VMs, storage, and applications. A Microsoft 365 group is used for collaboration and automatically creates a shared mailbox, calendar, and document library. Security groups are for permissions; Microsoft 365 groups are for teamwork.

Can I convert a static group to a dynamic group?

No, you cannot directly convert a static group to a dynamic group. You must create a new dynamic group and move members over. The group ID will be different, so any role assignments or application assignments will need to be updated to point to the new group.

How long does it take for a dynamic group membership to update?

It can take up to 24 hours, but typically it updates within a few hours. The evaluation occurs periodically based on the tenant's load. There is no way to force an immediate evaluation, so plan for latency in your processes.

Can a group contain other groups?

Yes, a group can contain other groups. This is called nesting. In Azure RBAC, only one level of group nesting is supported. In on-premises Active Directory, deeper nesting is possible, but it is generally not recommended due to complexity and performance issues.

What happens to a user's permissions when they are removed from a group?

The user loses any permissions that were granted through that group. The loss is not retroactive – the user loses access immediately after the group membership change takes effect (though there may be a short propagation delay).

Can I assign an Azure RBAC role to a Microsoft 365 group?

Technically yes, but it is not recommended. Microsoft 365 groups should be used for collaboration, and assigning RBAC roles to them can cause confusion and unexpected behavior. Always create a security group for Azure resource permissions.

How do I give a group owner the ability to manage membership?

In Microsoft Entra ID, you can assign one or more owners to a group. Owners can manage membership (add/remove users) but cannot delete the group or change its type. To assign an owner, go to the group's properties and select 'Owners'.

Summary

A group is a fundamental concept in Microsoft identity and governance that allows administrators to manage access to resources efficiently by collecting users, devices, and other objects into a single container. Instead of assigning permissions and policies to each individual, you assign them to the group, and every member automatically inherits those settings. This approach saves time, reduces errors, and makes it possible to manage access at scale in organizations with hundreds or thousands of users.

There are two primary types of groups in Microsoft Entra ID: security groups, which are used for resource permissions and policy application, and Microsoft 365 groups, which are used for collaboration and automatically provision shared workspaces. Groups can have static membership, where an administrator manually adds or removes members, or dynamic membership, where members are automatically added based on attribute rules written in a simple expression language. Dynamic groups are particularly useful for automating access management in large or rapidly changing organizations.

In exams like AZ-104, AZ-900, and SC-900, groups appear in scenario-based questions, rule evaluation exercises, and troubleshooting tasks. You need to know when to use security groups versus Microsoft 365 groups, how to create and manage groups, how to write dynamic membership rules, and how to assign roles and licenses to groups. Common mistakes include using the wrong group type for the task, expecting immediate updates from dynamic groups, and misconfiguring dynamic group rules.

The key takeaway is that groups are your primary tool for scalable, maintainable, and secure identity management. Memorize the phrase 'Groups gather access' to remind yourself that permissions should be assigned to groups, not to individuals.